Every year new types of DDoS attacks are identified. As with all internet security threats, DDoS attacks continually evolve and certain methods become more popular than others. A variety of factors drive the popularity of particular types of attacks, including overall effectiveness, resource requirements, launch simplicity, and available tools. Recently, six types of DDoS attacks have become clear favorites among attackers.
1. UDP Flood
A UDP (User Datagram Protocol) flood leverages the flexibility of UDP, which is a session-less network protocol. By flooding random ports on a remote host, the attacker forces the host to repeatedly check for an application listening on each port. When no application is found, the host responds with an ICMP Destination Unreachable packet. Generating millions of ICMP Unreachable packets in a short amount of time consumes tremendous host resources, and the end result is that the host becomes inaccessible.
2. Ping Flood
A Ping Flood or ICMP Flood operates on a similar principle to the UDP flood. It overwhelms the target resource with ping packets (ICMP Echo Requests). The attacker sends ping packets as quickly as possible without waiting for a reply from the target host. The benefit of this type of attack, from the attacker's point of view, is that it consumes both incoming and outgoing bandwidth: the incoming bandwidth is consumed by the attacker's ping packets and the outgoing bandwidth is consumed by the victim's servers trying to respond with ICMP Echo Reply packets.
3. Slowloris
Slowloris is an especially dangerous DDoS attack if the host server is running Apache, Tomcat, GoAhead Webserver, or dhttpd. Unlike broad attacks on the system, Slowloris is a highly targeted attack which allows one web server to take down another without affecting other ports or services on the target's network. Slowloris holds a large number of connections open for an extended period of time while sending only partial requests. The target server keeps each false connection open because it is waiting for the request to be completed. Eventually this exhausts the server's maximum concurrent connection pool.
4. Ping of Death
A POD (Ping of Death) attack is extremely simple to instigate: the attacker sends multiple malicious pings to a computer. The maximum length of an IP packet is 65,535 bytes; however, the Data Link Layer often imposes smaller limits, such as 1,500 bytes on an Ethernet network, so a large IP packet is split across multiple IP fragments. In a POD attack, the fragments are crafted so that the recipient ends up with a packet larger than 65,535 bytes once they are put back together. This overflows the memory allocated for the packet, causing a denial of service for legitimate packets.
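The defensive side of the Ping of Death mechanism described above, as an added example that is not part of the original article: a reassembler that computes where each fragment would land (offset field times 8, plus the payload) and drops any datagram that would exceed 65,535 bytes before it allocates or copies anything. The fragment layout, the 20-byte header assumption and the two in-memory sample streams are all constructed for illustration; nothing here touches the network.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_IP_DATAGRAM = 65535   # the 16-bit Total Length field caps an IPv4 datagram here
IP_HEADER_LEN = 20        # minimal IPv4 header, assumed for every fragment below


@dataclass
class Fragment:
    """One IPv4 fragment as a reassembly queue sees it (constructed sample data)."""
    ident: int            # Identification field, shared by all fragments of a datagram
    offset_units: int     # Fragment Offset field: 13 bits, counted in 8-byte units
    more_fragments: bool  # the MF flag; cleared on the last fragment
    payload: bytes


def split_into_fragments(ident: int, payload: bytes, mtu: int = 1500) -> List[Fragment]:
    """Fragment a payload the way a host does on a link with the given MTU."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8   # 1,480 bytes on Ethernet; offsets stay 8-byte aligned
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        frags.append(Fragment(ident, start // 8, start + chunk < len(payload), piece))
    return frags


def datagram_end(frag: Fragment) -> int:
    """Total datagram length implied by this fragment: header plus bytes up to its last byte."""
    return IP_HEADER_LEN + frag.offset_units * 8 + len(frag.payload)


def is_oversized(frag: Fragment) -> bool:
    """The Ping of Death check: a fragment whose data would land past the
    65,535-byte limit is rejected before it is copied into any buffer."""
    return datagram_end(frag) > MAX_IP_DATAGRAM


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the payload, or return None (drop the whole datagram) if any fragment
    is oversized. The check runs before allocation, so the buffer cannot be overrun."""
    if any(is_oversized(f) for f in frags):
        return None
    buf = bytearray(max(f.offset_units * 8 + len(f.payload) for f in frags))
    for f in frags:
        start = f.offset_units * 8
        buf[start:start + len(f.payload)] = f.payload
    return bytes(buf)


# Constructed samples: a benign 3,000-byte echo request split for Ethernet, and a
# fragment stream whose last piece claims an offset near the 13-bit maximum.
BENIGN = split_into_fragments(ident=1, payload=b"\x08\x00" + b"A" * 2998)
MALICIOUS = [Fragment(2, 0, True, b"B" * 1480), Fragment(2, 8189, False, b"B" * 100)]
```

The benign stream reassembles to its original 3,000 bytes; the second stream is dropped because its last fragment implies a 65,632-byte datagram.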
5. Zero-Day DDoS
Zero-Day attacks are unknown or new attacks designed to exploit application vulnerabilities which do not have an available patch. Finding new vulnerabilities is a popular activity in the hacker community, so the popularity of using newly discovered vulnerabilities in a DDoS attack shouldn’t be surprising.
6. SYN Flood
The final type of DDoS attack that is currently popular is the SYN Flood. This attack exploits a well-known weakness in the TCP connection sequence, the three-way handshake. A SYN request initiates a TCP connection with a host. During a SYN flood, the requester sends many SYN requests but never responds to the host's SYN-ACK replies. The host system is left waiting for an acknowledgement to each half-open request, which soaks up system resources until no new connections can be made.
A managed services provider that can protect you against such attacks can be found at: https://www.datafoundry.com/managed-services/ddos/